install_with_python: Secure Python download with sha256 checks.
authorAdrian Cochrane <adrianc@catalyst.net.nz>
Mon, 8 Jun 2015 04:31:38 +0000 (16:31 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 24 Jul 2015 03:19:05 +0000 (05:19 +0200)
Includes a fallback using md5sum and a refactor to ensure files are cleaned up on failure.

Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 24 05:19:06 CEST 2015 on sn-devel-104

install_with_python.sh

index e545ecc..9335cfe 100755 (executable)
@@ -18,20 +18,39 @@ export LD_LIBRARY_PATH
 VERSION="Python-2.6.5"
 
 do_install_python() {
-       mkdir -p python_install || exit 1
-       rsync -avz samba.org::ftp/tridge/python/$VERSION.tar python_install || exit 1
-       cd python_install || exit 1;
-       rm -rf $VERSION || exit 1
-       tar -xf $VERSION.tar || exit 1
-       cd $VERSION || exit 1
-       ./configure --prefix=$PREFIX/python --enable-shared --disable-ipv6 || exit 1
-       make || exit 1
-       make install || exit 1
-       cd ../.. || exit 1
-       rm -rf python_install || exit 1
+       set -e
+       mkdir -p python_install
+       rsync -avz samba.org::ftp/tridge/python/$VERSION.tar python_install
+       cd python_install
+       rm -rf $VERSION
+
+       # Verify that the download hasn't been corrupted
+       # This checks Python-2.6.5, while more hashes my be added later.
+       if command -v sha256sum
+       then
+            echo "2f1ec5e52d122bf1864529c1bbac7fe6afc10e3a083217b3a7bff5ded37efcc3  Python-2.6.5.tar" > checksums.sha256
+            sha256sum --status -c checksums.sha256
+       else
+            echo "c83cf77f32463c3949b85c94f661c090  Python-2.6.5.tar" > checksums.md5
+            md5sum --status -c checksums.md5
+       fi
+
+       tar -xf $VERSION.tar
+       cd $VERSION
+       ./configure --prefix=$PREFIX/python --enable-shared --disable-ipv6
+       make
+       make install
+       cd ../..
+       rm -rf python_install
+}
+
+cleanup_install_python() {
+       rm -rf python_install
+       exit 1
 }
 
 if [ ! -d $PREFIX/python ]; then
+   trap "cleanup_install_python" 0
    # needs to be installed
    do_install_python
 fi
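Review bot: The EXIT trap installed by `trap "cleanup_install_python" 0` is never cleared in this hunk, and `cleanup_install_python` ends in `exit 1`. After `do_install_python` succeeds, any later normal exit of the script would therefore still run the handler and report status 1, unless code outside the hunk resets the trap or ends in `exec`. Adding `trap - 0` on the line after the `do_install_python` call keeps cleanup on failure without turning a successful install into a failing exit. Separately, the `else` branch silently downgrades the pinned check to MD5 when `sha256sum` is missing; the tarball is fetched over the plain rsync daemon protocol, so the pinned digest is the only integrity control visible here, and MD5 is adequate for catching corruption but weak as a tamper check. Consider aborting with a clear message when no SHA-256 tool is available, and note that the `set -e` inside the function stays in effect for the rest of the script.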